In a new phishing campaign spreading the BazarBackdoor malware, a Microsoft Windows 10 app feature is being exploited.
On Thursday, Sophos Labs experts reported that the attack was detected when spam emails were sent to the cybersecurity firm's own employees — but these emails weren't just any spam; they were written with at least a minimal amount of social engineering.
One of the emails, from the non-existent "Adam Williams," a "Sophos Main Manager Assistant," requested to know why a researcher hadn't addressed a customer's complaint. The email also included a PDF link to the message to make resolution easy.
The link, however, was a hoax that demonstrated a "new" approach for spreading the BazarBackdoor malware.
Sophos researcher Andrew Brandt explained, "In the course of running through an actual infection I realized that this construction of a URL triggers the browser [in my case, Microsoft's Edge browser on Windows 10], to invoke a tool used by the Windows Store application, called AppInstaller.exe, to download and run whatever's on the other end of that link."
Sophos stated to be "unfamiliar" with this strategy, which involves exploiting the Windows 10 App installation process to transmit malicious payloads.
The phishing bait directs prospective victims to a website that uses the Adobe brand and invites them to click on a button to preview a PDF file. When users move the mouse over the link, the prefix "ms-appinstaller" appears.
This link then links to a text file called Adobe.appinstaller, which in turn points to a larger file called Adobe_.7.0.0_x64appbundle, which is hosted on a different URL.
A warning notification appears and a notice that software has been digitally signed with a certificate issued several months ago. (The certificate authority has been notified of the misuse by Sophos.)
The victim is then urged to approve the installation of "Adobe PDF Component," and if they comply, the BazarBackdoor malware is installed and launched in seconds.
BazarBackdoor is similar to BazarLoader in that it connects via HTTPS, but it is distinguished by the volume of noisy traffic it creates. BazarBackdoor can exfiltrate system data and has been connected to Trickbot and the probable deployment of Ryuk ransomware.
Brandt stated, "Malware that comes in application installer bundles is not commonly seen in attacks. Unfortunately, now that the process has been demonstrated, it's likely to attract wider interest. Security companies and software vendors need to have the protection mechanisms in place to detect and block it and prevent the attackers from abusing digital certificates."
